On Wednesday evening, the news first broke that ticket selling giant Ticketmaster's UK site had suffered a data breach. Around five per cent of Ticketmaster customers, a little less than 40,000 people, are affected, with several people reporting being scammed out of money as a result.

As well as their Ticketmaster login information, users' payment data, addresses, names and phone numbers are also at risk. Ticketmaster says it first detected the breach on June 23. All Ticketmaster customers are advised to change their passwords if they use the same password on other sites. Now would also be (another) good opportunity to up your password security, if you haven't done so already.

While only appearing in the news now, this breach has been suspected for several months. And it wasn't even Ticketmaster that spotted the mistake, it was upstart bank Monzo. According to Monzo, the breach started on April 6 when 70 per cent of its customers who reported fraud that day also made a purchase through Ticketmaster, despite only 0.8 per cent of Monzo's total customer base using Ticketmaster during that period.

Monzo alerted Ticketmaster, but the company apparently paid little attention. "They came in for a meeting, and we gave them all of the evidence we had. We never had, and we still don't have, absolute irrefutable proof, but what we had was an overwhelming weight of statistical evidence. The chance of that being a random coincidence is unbelievably small," says CEO Tom Blomfield.

"So we presented this evidence and we said, 'You guys need to take this seriously' and they conducted an investigation. They came back to us fairly quickly saying, 'Our investigation shows no evidence of a breach, and we don't believe we're the source of this' and now several months later, it comes up that they've been breached all this time."

Unwilling to let the issue go completely, Monzo issued several thousand new cards to its users who could have been affected, but without telling them the identity of the merchant that had caused the issue. In an email sent to those individuals today, it confirmed that Ticketmaster was the reason why it had taken the decision to replace their cards.
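
The signal Monzo describes above, 70 per cent of fraud reporters having bought from a merchant that only 0.8 per cent of customers used, is a common-point-of-purchase check. The sketch below is an added example, not Monzo's code: it ranks merchants by how unlikely their share of fraud reporters would be by chance, using a binomial tail. The customer counts, the number of fraud reporters and the merchant names are constructed, since the article gives only the percentages.

```python
from math import comb

def binom_tail(n, k, p):
    """P(X >= k) for X ~ Binomial(n, p): the chance that k or more of n
    fraud reporters used a merchant if fraud were unrelated to it."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))

def common_points(fraud_ids, purchases, total_customers, alpha=1e-6):
    """Return merchants over-represented among fraud reporters.

    purchases maps merchant -> set of customer ids that bought there in the
    look-back window. Each finding is (merchant, share, base_rate, p_value).
    """
    n = len(fraud_ids)
    findings = []
    for merchant, buyers in purchases.items():
        base_rate = len(buyers) / total_customers  # share of all customers
        k = len(buyers & fraud_ids)                # fraud reporters who bought
        p_value = binom_tail(n, k, base_rate)
        if k and p_value < alpha:
            findings.append((merchant, k / n, base_rate, p_value))
    return sorted(findings, key=lambda f: f[3])

# Constructed sample data (not from the article): 50,000 customers, 50 of
# whom reported fraud on the same day. Merchant names are placeholders.
TOTAL_CUSTOMERS = 50_000
FRAUD_IDS = set(range(50))
PURCHASES = {
    # 400 buyers (0.8% of customers), 35 of the 50 fraud reporters (70%)
    "tickets.example": set(range(35)) | set(range(1_000, 1_365)),
    # 20,000 buyers (40% of customers), 22 of the 50 fraud reporters (44%)
    "grocer.example": set(range(28, 50)) | set(range(2_000, 21_978)),
}
FINDINGS = common_points(FRAUD_IDS, PURCHASES, TOTAL_CUSTOMERS)

if __name__ == "__main__":
    for merchant, share, base, p in FINDINGS:
        print(f"{merchant}: {share:.0%} of fraud reporters "
              f"vs {base:.1%} base rate, p={p:.1e}")
```

A popular merchant such as the constructed grocer shows up in many fraud reporters' histories without being flagged, because its share among them is close to its base rate; only the merchant whose share is far above its base rate is reported.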

It would turn out that Ticketmaster was partially correct – it wasn't Ticketmaster that was breached, but one of its subcontractors had been. Inbenta Technologies, who operate a chatbot on Ticketmaster’s site, had modified a line of JavaScript code to customise its basic product to its client’s needs. Ticketmaster then used this code (without Inbenta’s knowledge) on its payments page. Hackers discovered this script, and then modified it to extract payment information, harvesting user information since an unknown date in February.

In a statement, Inbenta CEO Jordi Torras said the vulnerability had been fixed on June 26 and that the company was "truly sorry" that the use of its technology had resulted in the "violation of Ticketmaster users’ privacy".

Following disclosure of the breach, the Information Commissioner’s Office (ICO) said it was "making enquiries" in relation to the Ticketmaster breach and would be making a decision as to whether it should be dealt with under the 1998 or 2018 Data Protection Acts based on the dates the incident happened and then was discovered. The 2018 act, which brought in GDPR, only came into force on May 25, after the initial discovery but before the incident was disclosed.